> I assume that the second of these now does mean that we can avoid
navigation from within beforeunload itself, right?

Yes, and we do.  See nsDocShell::IsNavigationAllowed.

> we don't unload the current document (ie we don't hit the first cited
condition) until we start getting a response for the initial navigation

That's correct.  It has to be that way, because the response could be a
type that we'd hand off to a helper app instead of handling internally,
so we can't know whether we'll be unloading at all until we get the
response headers.

I too would be interested in what other browsers do.  Conceptually,
treating "user-triggered" and "page just randomly did it" navigations
differently makes sense to me.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1638610

Title:
  Dependency of JavaScript objects is Misconfigured Browser Crashes.

Status in Mozilla Firefox:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Hey Team,

  The bug I want to mention here is a denial of service attack that will not
  allow any kind of redirection on a page crafted by an attacker where we have
  used hyper-links (a href).
  The bug can be maliciously used by an attacker crafting an HTML file and
  then sending it to the victim, clearly showing (through the status bar) that
  there is a hyper-link that redirects to, let's say, google.com, but it will
  not; instead it causes a denial of service, and the browser also hangs up
  and crashes.
  I have tested it on the very latest version of the Ubuntu LTS default
  browser.

  Reason:
  The following script stops the page from being redirected:
  window.onbeforeunload = function(){
    // Unredirectable Page
    setTimeout("window.location=document.location;",0);
  }

  Demo URL : http://hackies.in/Unredirect-Browsers-Test.html

  Actual results:

  It should redirect me to the new page, whereas it doesn't redirect to a
  new page and the browser hangs up.

  
  Expected results:

  So the dependency of JavaScript objects (window.document) on the href
  attribute should not be there.
  Attached POC for References
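As an added illustration (not code from this thread and not Firefox's own code), the following JavaScript models the sequence described in the reply above: a navigation requested while a beforeunload handler is running is refused, but a zero-delay timer scheduled by that handler runs after the handler returns, and because the old document is not unloaded until the response for the user's navigation arrives, the timer's navigation cancels the pending one and the cycle repeats. The BrowserModel class, its methods, the task limit and the example.invalid URLs are assumptions of this model, not nsDocShell internals.

```javascript
// Added model, not Firefox code: a minimal event-loop simulation of the rule
// "no navigation from inside a beforeunload handler" (the idea behind
// nsDocShell::IsNavigationAllowed, simplified here as an assumption) showing
// why a zero-delay timer scheduled by that handler is still allowed to start a
// new navigation and cancel the user's pending one.

class BrowserModel {
  constructor(currentUrl) {
    this.currentUrl = currentUrl;
    this.inBeforeUnload = false;   // true only while beforeunload handlers run
    this.pendingUrl = null;        // navigation started, response not yet received
    this.timerQueue = [];          // simulated setTimeout(fn, 0) macrotasks
    this.onbeforeunload = null;
    this.log = [];
  }

  // Navigation requests are refused while a beforeunload handler is executing.
  isNavigationAllowed() {
    return !this.inBeforeUnload;
  }

  setTimeout(fn) {
    this.timerQueue.push(fn);
  }

  // Start a navigation: run beforeunload, then issue the request. An earlier
  // pending navigation whose response has not arrived yet is cancelled.
  navigate(url, source) {
    if (!this.isNavigationAllowed()) {
      this.log.push(`blocked: ${source} -> ${url} (inside beforeunload)`);
      return false;
    }
    this.inBeforeUnload = true;
    try {
      if (this.onbeforeunload) this.onbeforeunload();
    } finally {
      this.inBeforeUnload = false;
    }
    if (this.pendingUrl !== null) {
      this.log.push(`cancelled pending: ${this.pendingUrl}`);
    }
    this.pendingUrl = url;
    this.log.push(`started: ${source} -> ${url}`);
    return true;
  }

  // Deliver the response for the pending navigation: only now is the old
  // document unloaded and the new URL committed.
  responseArrives() {
    if (this.pendingUrl === null) return false;
    this.currentUrl = this.pendingUrl;
    this.pendingUrl = null;
    this.log.push(`committed: ${this.currentUrl}`);
    return true;
  }

  // Run queued timers, capped so the simulation terminates. The model assumes
  // every zero-delay timer fires before any network response lands.
  runTimers(maxTasks) {
    let ran = 0;
    while (this.timerQueue.length && ran < maxTasks) {
      this.timerQueue.shift()();
      ran++;
    }
    return ran;
  }
}

// Simulate a user click on a link to `target` from a page that either does or
// does not install the self-navigating handler quoted in the bug report.
function simulateClick(installHandler, target, maxTasks = 10) {
  const b = new BrowserModel('http://example.invalid/page'); // constructed URL
  if (installHandler) {
    b.onbeforeunload = function () {
      // A direct navigation from inside the handler is refused...
      b.navigate(b.currentUrl, 'handler-direct');
      // ...but a zero-delay timer runs after the handler has returned.
      b.setTimeout(() => b.navigate(b.currentUrl, 'handler-timer'));
    };
  }
  b.navigate(target, 'user-click');
  b.runTimers(maxTasks);   // timers keep re-navigating before any response lands
  b.responseArrives();     // whatever is pending at that point commits
  return { landedOn: b.currentUrl, timersPending: b.timerQueue.length, log: b.log };
}
```

With the handler installed, simulateClick leaves the page on its original URL with a timer still queued, which is the hang the report describes; without it, the click commits normally. The model makes the reply's distinction easy to experiment with: treating a navigation that a beforeunload handler schedules through a timer the same way as one made inside the handler, rather than the same as a user-triggered one, breaks the cycle.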

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1638610/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
